Whats your take on this Spammer?

[trout21]

Hello,

I have searched around in the forums and have done everything that I found that I hadn't thought of; followed Chirpys guide to tracking down a spammer especially; re-compiled apache with phpsuexec to see if it was a rouge script - I can't find any evidence in the logs pointing to anything ...

[SIZE="4"]2006-11-14 04:37:50 H=(he108war.uk.vianw.net) [195.102.244.139] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:39:05 H=(mta427.mail.mud.yahoo.com) [209.191.88.166] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:39:45 H=(c-68-37-22-212.hsd1.de.comcast.net) [68.37.22.212] sender verify defer for <[email protected]>: host lookup did not complete
2006-11-14 04:39:45 unexpected disconnection while reading SMTP command from (c-68-37-22-212.hsd1.de.comcast.net) [68.37.22.212]
2006-11-14 04:40:03 H=(MailMarshall.sparcc.org) [208.108.208.15] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:40:21 H=(mail.winninggifts.com) [207.159.143.98] sender verify fail for <[email protected]>: response to "MAIL FROM:<>" from mail.winninggifts.com [207.159.143.98] was: 501 bogus mail from
2006-11-14 04:40:21 H=(mail.winninggifts.com) [207.159.143.98] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2006-11-14 04:40:21 unexpected disconnection while reading SMTP command from (mail.winninggifts.com) [207.159.143.98]
2006-11-14 04:41:22 H=(mailx.hoster.ru) [195.128.50.36] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:41:35 H=(smtp-outbound2.host.net) [64.135.6.8] F=<[email protected]> rejected RCPT <[email protected]>: 
2006-11-14 04:41:35 unexpected disconnection while reading SMTP command from (smtp-outbound2.host.net) [64.135.6.8]
2006-11-14 04:41:55 H=(mccoy.izr.com) [195.26.37.7] sender verify defer for <[email protected]>: could not connect to mccoy.izr.com [195.26.37.7]: Connection refused
2006-11-14 04:41:55 H=(mccoy.izr.com) [195.26.37.7] F=<[email protected]> temporarily rejected RCPT <[email protected]>: Could not complete sender verify callout
2006-11-14 04:42:44 H=(141179312) [216.57.173.162] sender verify fail for <[email protected]>: response to "MAIL FROM:<>" from eforward2.name-services.com [216.52.184.242] was: 551 invalid address
2006-11-14 04:42:44 H=(141179312) [216.57.173.162] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2006-11-14 04:42:44 unexpected disconnection while reading SMTP command from (141179312) [216.57.173.162]
2006-11-14 04:43:28 H=(spiexch.spi-intranet.com) [67.104.79.98] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:44:12 H=([219.131.233.159]) [219.131.237.118] sender verify defer for <[email protected]>: Could not complete sender verify callout
2006-11-14 04:44:12 unexpected disconnection while reading SMTP command from ([219.131.233.159]) [219.131.237.118]
2006-11-14 04:44:31 H=(gorge) [221.208.141.100] sender verify fail for <[email protected]>: response to "RCPT TO:<[email protected]>" from mailhost.kingfeatures.com [69.44.168.240] was: 550 [email protected] unknown user account
2006-11-14 04:44:31 H=(gorge) [221.208.141.100] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2006-11-14 04:44:34 H=(mail.doheny.com) [67.52.56.50] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:45:02 H=(mccoy.izr.com) [195.26.37.7] sender verify defer for <[email protected]>: could not connect to mccoy.izr.com [195.26.37.7]: Connection refused
2006-11-14 04:45:07 H=(exs1.whitereasor.com) [71.16.201.142] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:45:11 1GjqAZ-0007fF-Cq <= [email protected] H=(81-208-83-236.fastres.net) [81.208.83.236] P=esmtp S=4380 [email protected] T="save up to 70% on the medications for your need"
2006-11-14 04:45:14 1GjqAZ-0007fF-Cq Completed
2006-11-14 04:46:07 H=(DERUSAHPR006.eds.de) [192.85.16.85] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:46:34 H=(host01.frontechost.com) [216.246.45.85] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:46:43 H=(mail.delta.com.ba) [195.222.45.22] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:47:12 H=(mx6.pacifier.net) [64.255.237.186] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:47:25 H=(wip-ectls-mx1.wipro.com) [203.91.193.21] F=<> rejected RCPT <[email protected]>: 
2006-11-14 04:48:18 H=(dmi-web01.demandsolutions.com) [63.246.20.75] F=<> rejected RCPT <[email protected]>: [/SIZE]

Note I have replaced my domain with mydomain.com.

Is there anything else that I can try to track this down? exim_mainlog is just filling non-stop with these sorts of entries!! The F=<> rejected RCPT is only now there as I am only now using :fail: to rid myself of these emails.

Thank you for any assistance in this matter.

 

[kernow]

2006-11-14 04:39:05 H=(mta427.mail.mud.yahoo.com) [209.191.88.166] F=<> rejected RCPT<[email protected]>

The above is not comming from your server .
We get dozens of these a day. If you see you have loads from the same IP address, then install Chirpys "Dictionary attack" script;
http://www.configserver.com/free/eximdeny.html

 

[trout21]

Thanks for the reply. I was needing a second opinion on the very thing you commented on.

I've now put in place the exim_deny script and am scouring through the logs again.

I'm pretty dejected about this! Don't particularly want my domain being used to spam... even if it's a forged header!!